
Defeating DDoS attacks by fixing the incentive chain

Published: 01 February 2007

Abstract

Cooperative technological solutions for Distributed Denial-of-Service (DDoS) attacks are already available, yet organizations in the best position to implement them lack incentive to do so, and the victims of DDoS attacks cannot find effective methods to motivate them. In this article we discuss two components of the technological solutions to DDoS attacks: cooperative filtering and cooperative traffic smoothing by caching. We then analyze the broken incentive chain in each of these technological solutions. As a remedy, we propose usage-based pricing and Capacity Provision Networks, which enable victims to disseminate enough incentive along attack paths to stimulate cooperation against DDoS attacks.

Reviews

Myles F. McNally

Want to disable an Internet content provider (ICP) like Yahoo! or Amazon? Or perhaps you are interested in attacking the Department of Defense Web site or other government sites. Then a denial of service (DoS) attack is for you. Simply overwhelm the target site with Internet traffic. Even if its gateway routers prevent the attack from reaching its content servers, the site itself is compromised. To massively flood such a site, recruit (that is, attack and take over) a legion of "zombie" computers across the Internet and then launch the attack simultaneously from each of them (a distributed denial of service attack (DDoS)). To get a sense of the potential size of such an attack, consider the case of so-called "Botmaster" Jeanson James Ancheta, who in 2005 pled guilty to charges of conspiracy, damaging computers used by the US government, and fraud. He and others recruited over 400,000 zombie computers, including machines in a weapons division of a US Naval Air Warfare Center, and were leasing subnets of these zombie machines to others for use in DDoS attacks and massive spam mailings.

Since DDoS attacks have been going on for some time, why has no effective means been found to prevent them or at least minimize their effects? Actually, the authors of this paper claim that such means already exist, but organizations in the best position to implement them have no economic incentive to do so. Under our current Internet organizational structure, only the target of the attack (the ICP) and indirectly its regional Internet service provider (ISP) have economic incentives to prevent particular attacks. While the ICP itself is simply overwhelmed, the providing ISP is likely to have so much excess capacity that it is not compromised. The excess capacities of the regional ISPs to which the zombie computers connect and the backbone ISP networks over which they communicate mean that those systems are not compromised either.

Given that DDoS attacks do not compromise their services, the ISPs have no incentive to implement what Huang, Geng, and Whinston take to be the two most effective ways to handle DDoS attacks: cooperative filtering and cooperative caching. Both of these techniques are designed to blunt attacks once they are underway. As their names suggest, they require wide-scale cooperation among ISPs. Achieving such cooperation requires fixing the "incentive chain," which currently stops prematurely at the content provider.

In cooperative filtering, ISPs along the attack path filter out attack traffic. This involves three phases: alarming, where an intrusion detection system identifies suspicious traffic; tracing, the tracking back as far as possible along each attack path; and filtering, where ISPs far back along each path simply filter out attack traffic. The most effective tracking would require ISPs to ban Internet protocol (IP) spoofing (the use of false IP addresses), which could be done by the immediate ISPs of attacking computers. This would allow attacking zombie computers to be identified and then taken offline. How can an economic incentive be provided to ISPs to take such actions? The authors suggest switching from a subscription-based capacity model, where all of the players routinely have far more bandwidth than they need, to a dynamic model, in which each player pays for actual bandwidth used. In such a system, everyone would have an incentive to use network resources judiciously, and in particular eliminate spurious traffic.

Many ISPs use caching to provide faster service to their own customers. Cooperative caching involves ISPs providing caching services to noncustomers as well. If a request could be satisfied by any number of caching servers across the Internet, the quality of service provided to all customers would be improved. Almost as a side benefit, the effects of DDoS attacks would be diluted. Rather than a particular site being overwhelmed with traffic, the many caching sites would be able to handle the increased traffic flow. Of course, there are issues with nonstatic content, which currently only the ICP could provide. But technologies like Edge Side Includes are being developed that would allow dynamic content to be generated at multiple locations rather than just at the ICP. To coordinate this caching scheme, the authors propose a capacity provision network market mechanism, in which regional ISPs have their caching organized by a third entity, which receives payments directly from the various ICPs. The authors spend a fair amount of time in the paper arguing the merits of this model, which seems promising.

This is an interesting and important paper. Its diagnosis of why we can't seem to stop DDoS attacks leads to bold recommendations that would change the fundamental economic structure of the Internet. If we believe the arguments of the authors, such changes will lead not only to an end of DDoS attacks, but also to a higher quality of service for all Internet users.

Online Computing Reviews Service

Published in

ACM Transactions on Internet Technology, Volume 7, Issue 1
February 2007
184 pages
ISSN: 1533-5399
EISSN: 1557-6051
DOI: 10.1145/1189740

Copyright © 2007 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 1 February 2007

Qualifiers

• article